Cybervetting job applicants on social media: the new normal?

With the introduction of new information communication technologies, employers are increasingly engaging in social media screening, also known as cybervetting, as part of their hiring process. Our research, using an online survey with 482 participants, investigates young people’s concerns with their publicly available social media data being used in the context of job hiring. Grounded in stakeholder theory, we analyze the relationship between young people’s concerns with social media screening and their gender, job seeking status, privacy concerns, and social media use. We find that young people are generally not comfortable with social media screening. A key finding of this research is that concern for privacy for public information on social media cannot be fully explained by some “traditional” variables in privacy research. The research extends stakeholder theory to identify how social media data ethics should be inextricably linked to organizational practices. The findings have theoretical implications for a rich conceptualization of stakeholders in an age of social media and practical implications for organizations engaging in cybervetting.


Introduction
Human resource (HR) managers have traditionally been required to do more with less resources-particularly in recent years (DiRomualdo et al. 2018). As one of the organizational responses to chronic under-resourcing (Berkelaar 2010) and technological advancements that have expanded the ability of employers to engage in employee surveillance (Ajunwa et al. 2017), businesses engage in so-called cybervetting as part of the hiring process. Cybervetting is a practice also known as "…Internet surveillance, social media background checks, social media screening, online screening, social media profiling, or Facebook fired" (Berkelaar and Harrison 2017, p. 1). Employers can engage in a simple Google search and locate social media profiles of a job applicant and may further proceed to engage in a more sophisticated analysis of their digital footprint across platforms.
The number of organizations that are using social media to screen job applicants has dramatically risen; CareerBuilder (2018) found that the practice had increased from 11 to 70% in a decade. In this paper, we specifically focus on the use of social media data posted by a person or about a person to evaluate their job application; thus, we use cybervetting and social media screening interchangeably.
An organization's typical recruitment process includes: (1) engaging in a requirements analysis, (2) posting a job ad, (3) receiving and selecting desirable applications, and (4) making a final recruitment decision (Bizer et al. 2005). With the growing availability of online and social media data about the workforce, organizations' recruitment methods have evolved to include new types of data (Janta and Ladkin 2013). In particular, social media sources are now commonly consulted during the recruitment and hiring process in phases (3) and (4) as a filtering mechanism (Gandini and Pais 2017). New startups seeking to capitalize on the opportunity have emerged to offer fee-based social media screening services for employers and promise sophisticated technological screening to determine "fit" (including family histories), reveal negative attributes (such as drinking or sexual posts), and identify other risks that could jeopardize the company ("RiskAware" 2017).
More than half of the employers who use social media screening admit that they have not hired someone because of what they have found online (CareerBuilder 2014). Yet, there appears to be a large disconnect between this reality and people's perceptions of how common it is for social media to have a negative impact on one's hirability. For example, even though previous research confirms that young people have high awareness of employers' use of social media for screening (Hurrell et al. 2017), another study shows that only 2% of social media users think that their social media posts have caused them to get fired or not be hired (Smith 2015). More companies are engaging in social media screening and people's awareness of social media screening is growing, yet individuals still do not believe that their social media activities are impacting their employment, which masks the reality that people's livelihoods may be impacted because of this practice. The practice of cybervetting becomes even more significant for young people who are trying to position themselves in the workforce as they often struggle to find secure well-paid positions and enter the labour market.
Using stakeholder management theory, we investigate young people's concerns with their publicly available social media data being used in the specific context of job hiring. While previous research has analyzed job candidates reactions to potential employers asking for their social media login information (Drake et al. 2016;McEwan and Flood 2017), our research analyzes perceptions of privacy for social media data that is already public and, as such, does not require any login information to obtain. The research is contextually situated at the interplay of the necessity of hiring the best people with limited resources, the organizational response of engaging in social media job screening, and the individual response of people expressing concern. In particular, with the focus on the individual response, we follow prior research that suggests there may be a relationship between an individual's comfort with this growing practice and their gender (Peluchette and Karl 2008), job seeking status (Richey et al. 2017), social media use (Fogel and Nehmad 2009), and privacy concerns (Osatuyi 2015;Ellison et al. 2011). Thus, we ask: What is the relationship between young people's comfort with social media screening and their gender, job seeking status, social media use, and privacy concerns?
We will unpack and substantiate this research question further in the following sections on the theoretical foundation and hypotheses.

Social media and privacy
Social media are becoming ubiquitous and embedded into the daily lives of many people; Facebook has reached 2 billion users and Instagram has over 800 million users (Statistica 2017a, b). 94% of online Canadian adults have at least one social media account . The benefits of using and engaging on social media have been well observed and include using the platforms for entertainment, social relationship building and maintenance, information seeking, and self-presentation (Ellison et al. 2007;Quan-Haase and Young 2010;Whiting and Williams 2013).
A by-product of the large-scale adoption of social media is social media data mining. Publicly available social media data is largely free and available to be legally used for any purpose by third parties. While social media companies themselves have unfiltered access to all the data and interaction data that is provided to them, third parties similarly have extraordinary access to public social media data that can be collected and analyzed using APIs or through thirdparty data resellers, such as Gnip and DataSift, who harvest and neatly package the data. The data is used to gain perspective on human behaviour and human interaction (Helm 2018;Kennedy 2016), and can be leveraged by individuals, governments, and corporations for strategic benefit, such as marketing and human resources.
The insights from social media data have also been used to influence how people vote, as the recent Cambridge Analytica scandal has shown (Rosenberg and Dance 2018). But unlike Cambridge Analytica where data was mined, the focus of our study is on "publicly" available social media data. What constitutes information that is "public" has long been debated and has largely been situated around "reasonable expectations of privacy" (Tverdek 2008). In the current social media landscape, "public" social media is available to be mined, analyzed, and used. Therefore, a password protected Facebook group is considered private, whereas an open exchange on Twitter is considered public (Townsend and Wallace n.d.). The privacy setting not only impacts who can see the social media posts, but who can capture the data and surrounding metadata and transactional data. For example, when a person first creates a Twitter account, the tweets are public by default, which means that any other account-person, organization, or bot-can view, follow, and interact with that user.
Young people are widely recognized as being heavy users of social media (Chen and Cheung 2018;Hargittai 2010;Williams et al. 2012). As evidenced in the repeated declaration in the media that privacy is "dead," the overwhelming ethos in popular culture is that young people do not care about privacy. With the constant tweeting, posting, and snapchatting, how could a generation that is "obsessed" with social media be concerned about privacy? Often described as "digital natives" (Palfrey and Gasser 2010), this-loosely (and often poorly) defined-generation is made up of young people born into a world of technology with the accompanying assumption that they have the comfort, digital skills, and literacy needed to navigate it successfully. However, some scholarly research points to young people having significant and nuanced privacy concerns on social media (Bailey and Steeves 2015;Marwick et al. 2010;Regan and Jesse 2018).
The traditional approach to privacy assumes that rational actors understand the risks and benefits of disclosure, while engaging in logical decision-making regarding their privacy. Westin (2000) puts forward the traditionalist typology of privacy by identifying three categories of consumers based on their privacy concerns: fundamentalist (high concern), pragmatist (medium concern), and unconcerned (low concern). Sheehan (2002) expanded on earlier work by introducing a four-part typology of online users: unconcerned internet users, circumspect internet users, wary internet users, and alarmed internet users. Rather than merely focusing on the level of concern, Drennan et al. (2006) focused on the behavioural responses to privacy concerns and developed a three-part typology: privacy-aware, privacy-suspicious, and privacy-active types. Building on this scholarship, Burkell and Fortier (2016) identified three privacy types on Facebook: personal users (strongest privacy expectations), image controllers (less strong privacy expectations as they recognize Facebook content is meant to be shared), and relaxed displayers (lowest privacy settings).
While the traditional approach to privacy assumes a logical decision-making process or "privacy calculus," an understanding of the true costs and benefits of the decision are not only complex, but also context specific (Acquisti and Grossklags 2005;Litt 2012;Loh 2018). Given the spread of big data analytics, there is a need to think differently about privacy (Mai 2016) as it is impossible, or extremely difficult, for people to fully comprehend, or imagine, how the data is going to be used or could be used in the future. The value of social media data is not merely in analyzing the posts or photos, but in how the data is used and processed by third parties (Kennedy 2016), such as prospective employers. The pragmatic approach to privacy, or the rational consumer choice approach, is problematic as it puts the burden and responsibility on the individual to understand and decide what is the best privacy option for them (Draper 2016). Further, purely adopting the rational cost-benefit calculation of privacy would result in an oversimplification as it does not account for emotion (Lutz and Strathoff 2014;Stark 2016). Information type, context, and institution are important considerations in people's decision-making regarding what information to share (Marwick and Hargittai 2018). Nissenbaum's (2011) contextual integrity is a conceptual framework that outlines the importance of context (the data subject, the data sender, the recipient of the data, the information type, and the transmission principle) in personal information flows. It challenges some traditional conceptions of privacy, rejects the public versus private information dichotomy, and demands that the use of information be appropriate to the specific context. We embrace a contextual understanding of privacy (Nissenbaum 2011) by specifying the job hiring context and further considering different types of publicly available user data from social media that can be used for cybervetting.

Stakeholder theory
Stakeholder theory was introduced by R. Edward Freeman in his 1984 seminal book, Strategic Management: A Stakeholder Approach. Stakeholder theory suggests that corporate governance of organizations has a responsibility towards a broad spectrum of stakeholders, and corporations need to understand the context of their various stakeholder relationships (Berman and Johnson-Cramer 2016;Freeman 1984). With an explicit organizational commitment to ethics, this theory runs counter to traditional shareholder theories that do not recognizes the "plurality of values"; stakeholder theory contends that the interests of all groups-or stakeholders-that are, or can be, impacted by an organization need to be considered (Freeman 1984). Rather than serving a single purpose, stakeholder theory provides a framework that serves a range of purposes (Freeman et al. 2010): "Unlike economic theory which aims at prediction, stakeholder theory aims to guide managerial action" (Visser et al. 2010, p. 375). Clarkson (1995) defines stakeholders as "persons or groups that have, or claim, ownership, rights, or interests in a corporation and its activities, past, present, or future" (p. 106). Identification of stakeholders is largely divided into primary stakeholders-who have a formal, contractual, or official relationship with the corporation, such as employees and customers-and secondary stakeholders-everybody else influenced by the corporation (Gibson 2000). Stakeholder theory is becoming an academic field due to the extensive application of the theory in business and society, as well as in information and communication research, yet there is further social scientific work that is needed as much of the field has yet to be explored (Berman and Johnson-Cramer 2016) and critically applied using empirical data.
Young people have generally been neglected and overlooked in stakeholder theory (Ville 2014). Donaldson and Preston (1995) explicitly recognize job applicants as stakeholders-as demonstrated in their declaration that "potential job applicants, unknown to the firm, nevertheless have a stake in being considered for a job (but not necessarily to get a job)" (p. 85). However, prior research on potential job applicants has analyzed organizational attractiveness (Greening and Turban 2000;Tsai and Yang 2010;Turban and Greening 1997), but has largely neglected the perspectives on the hiring process itself. Job applicants exist in a liminal space of potentially becoming primary stakeholders, while being secondary stakeholders at the time of application. Notably, Stone and Stone-Romero (1998) state that people's expectation of privacy needs to be protected in the job application process; however, they do not conduct empirical research to identify job applicants' privacy needs and, importantly, they were writing pre-social media. Accordingly, the vast majority of research in stakeholder theory has not analyzed the perspective of prospective employees as stakeholders, and in particular, there is a dearth of research on young job applicants as stakeholders, and our research seeks to fill this gap.
While stakeholder theory can be approached from a descriptive perspective that explores how organizations interact with stakeholders or an instrumental perspective that emphasizes the business case for adopting stakeholder management, in this research, we adopt a normative perspective to stakeholder theory that identifies the treatment of stakeholders based on moral principles (Jawahar and McLaughlin 2001;Mellahi et al. 2010). The normative perspective considers how organizations treat people (Jones and Wicks 1999), which we extend to people's social media data. The normative perspective of stakeholder theory contends that organizations "ought to view the interests of stakeholders as having intrinsic value" (Jones and Wicks 1999, p. 209), which our research embraces by developing an understanding of the perspectives of young job applicants as stakeholders. Accordingly, we use stakeholder theory to specifically explore and deeply analyze job applicants' concerns with social media screening as a way to inform organizational business practices.
There is a growing area of research that has sought to develop definitional precision of stakeholder theory; however, there has been little emphasis on the inclusion of a new form of corporate data: social media data. By identifying the asymmetries of the current power relations between data producers (job applicants) and data consumers (hiring organizations), this research begins from a place of recognizing and validating young job applicants as valid stakeholders whose concerns need to be carefully considered in business operations-specifically job hiring practices.

Hypothesis 1
We begin by testing the relationship between gender 1 and comfort with social media screening. Previous research repeatedly indicates that women tend to be more risk averse (Finucane et al. 2000;Forsythe and Shi 2003) and have higher privacy concerns in both online and offline spaces (Garbarino and Strahilevitz 2004). This tendency is apparent across age groups: Youn and Hall (2008) found that girls have higher privacy concerns and perceive higher levels of risks than boys. In the context of location-based services, Mao and Zhang (2014) found significant gender differences with women being more aware of and concerned with privacy issues. Peluchette and Karl (2008) evidenced that women were more concerned than men with employers seeing information on their social networking sites. Well aligned with the current study, Hoy and Milne (2010) examined gender differences with online privacy and secondary use of information on Facebook amongst young people and found that, although concern was low amongst both women and men, women were more concerned about their privacy being invaded and they also had higher levels of privacy protection behaviours. While previous studies do not distinguish between publicly available or private social media data, we hypothesize that in the context of publicly available on social media: H 1 Women will be less comfortable with social media screening in comparison to men.

Hypothesis 2
Next, we turn to examining people's job seeking status. In a crowded labour market, people can use social media to help them positively stand out (Richey et al. 2017). According to the privacy calculus theory (Dinev and Hart 2006), people engage in a decision-making process to identify the costs of disclosing information versus the risks. As such, we hypothesize that job seekers have more to gain from social media screening, so will, therefore, be more comfortable than non-job seekers: H 2 Job seekers will be more comfortable with social media screening than those who are not on the job market.

Hypothesis 3
A growing body of literature has explored the relationship between privacy and self-disclosure (Bazarova and Choi 2014;Chang and Heo 2014). Recognizing the public nature of the internet, Fogel and Nehmad (2009) contend that people who post information about themselves are "more comfortable with the possible risks of their information being seen by others" (p. 159). Furthermore, those who have a higher number of public accounts may be engaged in strategic impression management and self-presentation (Goffman 1959; Leary and Kowalski 1990). Previous research by Dubois et al. (2020) found that the number of social media accounts an individual has significantly predicts the perception towards third party use of social media. Increased use of digital media increases one's media literacy (Livingstone 2004), which means an individual may modify their social media behaviour to limit their risks, resulting in higher comfort with the practice (Couldry and Powell 2014). As such, we hypothesize: H 3 The number of public social media accounts a person has will be positively associated with their comfort with social media screening.

Hypothesis 4
Concern for information privacy has been shown to negatively impact people's attitudes and practices on the internet more broadly, as well as specifically on social media. For example, people with higher privacy concerns are less likely to use social media platforms (Osatuyi 2015); they are less trusting of mobile advertising (Okazaki et al. 2009); and they share less online (Chennamaneni and Taneja 2015). As such, we hypothesize a negative relationship between a person's information privacy concerns in the context of social media use and their comfort with social media screening: H 4 People with higher concern for social media information privacy will be less comfortable with social media screening. Doolin et al. (2005) found that having a previous negative experience with online shopping (or even hearing about another person's negative experience) is negatively correlated with one's online shopping activity. Similarly, Okazaki et al. (2009) found that mobile phone users who had a previous negative experience with information disclosure had higher privacy concerns. Also related, Debatin et al. (2009) found that users who reported having a privacy invasion were more likely to change their privacy settings. While we do not test the same relationship, research evidences previous negative experience impacts concern, and as such, we hypothesize that the higher prior negative experience the lower the comfort:

Hypothesis 5
H 5 People who have experienced an invasion of privacy on social media will be less comfortable with social media screening.

Hypothesis 6
The final hypothesis tests the relationship between users' knowledge of their privacy setting and comfort with social media screening. Despite an individual's confidence in their ability to manage their privacy online, Suh and Hargittai (2015) found that there is a considerable lack of effectiveness in users' online privacy management as people often mistakenly share posts publicly. Similarly, Hargittai and Marwick (2016) found that young adults feel that they have little control over personal information that is posted online. People who are unsure of their privacy setting may have low digital literacy (Ellison et al. 2011). As such, we hypothesize: H 6 People who have knowledge of their privacy settings will be more comfortable with social media screening.

Method
After receiving approval from the Institutional Research Ethics Board, we collected data using an online survey. The survey was open from January 21 to April 11, 2017 and drew participants from the pool of undergraduate students at a Canadian university who signed up for the Student Research Participant Pool. Participation in the study was completely voluntary and the data was completely anonymized. Each student respondent received extra course credit upon completion of the survey. "Appendix A" includes the survey instrument.

Demographic and social media use
The survey asked general demographic questions, such as age, gender, and location, as well as questions about general online activities, social media use, and self-reported internet skills. Importantly, the survey specifically asked participants to identify whether their social media accounts are "primarily public," "primarily private," or "unsure." The survey also asked questions about participants' awareness of social media misuse and asked participants to report whether they personally have been a victim of a data privacy violation.

Measuring information privacy concerns
As a baseline measure for information privacy concerns, the survey asked questions about social media users' attitudes regarding the use of their social media data by third parties. We relied on a 14-question construct of Concern for Social Media Information Privacy (CFSMIP) (Osatuyi 2015), which was built by adapting Stewart and Segars' (2002) widely accepted construct of Concern for Information Privacy (CFIP) to the context of social media use. One of the main reasons for using this particular construct is because it fits well with the study's focus on users' concerns about organizational threats of social media data use. CFSMIP (and CFIP) assesses four main dimensions: concerns about collection of social media data by third parties (COL1-4), concerns about potential errors in users' information stored by organizations (ERR1-3), secondary use of social media data by third parties (SUS1-3), and unauthorized access by third parties (UAC1-4). Since CFSMIP is a multi-dimension construct and each dimension is measured based on 3 or 4 questions, we needed to ensure that relevant questions loaded on their corresponding dimension and that the measurement instrument for each dimension was reliable. Based on the Principal Components Factor Analysis, we discovered three factors that explain privacy concerns: Collection (COL), Errors (ERR), and a combined factor of Secondary Use (SUS) and Unauthorized Access (UAC) (see "Appendix B"). Although Cronbach's Alpha, rho A, and Composite Reliability were within the acceptable thresholds for all dimensions (Henseler et al. 2016;Hair et al. 2017), the Average Variance Extracted (AVE) value for the combined dimension of SUS and UAC was below the 0.5 threshold; thus, we removed it from the subsequent analysis. The discriminant validity was within the acceptable range for all remaining dimensions. In sum, we proceeded with two independent variables to assess users' information privacy concerns on social media: COL (the mean of COL1-4) and ERR (the mean of ERR1-3).

Measuring the comfort with social media screening (the comfort scale)
Prior research indicates that there is widespread knowledge of the practice of social media screening amongst young people (Hurrell et al. 2017); as such, the survey asked questions about students' attitudes toward their social media data being used by potential employers. These questions were used to construct the dependent variable as follows.
To ensure that knowledge of social media screening did not act as a moderating variable, participants were shown a textbased brief that identified some of the common ways that prospective employers screen job applicants using social media. Participants were asked to assess their comfort level with a prospective employer accessing various types of their publicly available information on social media. The use of a 7-point comfort scale has been commonly and successfully adopted in privacy research (Lin et al. 2012;Lipford et al. n.d.;Schrodt 2013). Frye and Dornisch (2010) asked participants to rate their comfort disclosing information on various communication tools (e.g., email and instant messenger) and found that people were least comfortable disclosing information on public blogs and pages; Cranor et al. (1999) assessed people's comfort with providing specific pieces of information to websites and argued that the comfort level rises if users are informed and trust the disclosed policies. Comfort has been widely assessed and validated as a valuable construct in various contexts across disciplines (see Spake (2003) for a review). The evaluation of participants' comfort in combination with participants' concern has been adopted in online privacy and disclosure research (Spake et al. 2011).
In our study, we use both privacy concerns (as an independent variable) and comfort (as the dependent variable representing users' attitudes towards a particular practice). Privacy concerns were used as a baseline measure of individuals' concerns with organizations' use of social media more broadly-irrespective of data type and context. The comfort scale measured individuals' perceptions of specific data types in the specific context of job hiring and has been developed and evaluated by previous research Jacobson and Gruzd 2018;Gruzd et al. in press). As the results of the research will indicate, the relationship between comfort and concern was weak, which confirms that these are indeed measuring different constructs.
As stated above, we specifically focused on information contributed by a user or by others on social media that is publicly available; in other words, such information has to be publicly accessible on social media platforms by others on the internet. In particular, we asked participants about nine different information types including: posts, photos, geolocation, frequent words, post frequency, sentiment, top posters (identification of the most prolific social media users), followers, and communication network. All questions were prefaced with a statement that asserted that only publicly available information is used (e.g. "Imagine that the following are your posts that show what you are saying on social media publicly.") Using a 7-point Likert scale where 1 = uncomfortable and 7 = comfortable, participants were asked, "How comfortable would you be if an employer uses information from social media about you to make a hiring decision?".
In an attempt to remove a potential bias in how participants perceived the social media information type questions, participants were randomly assigned to two groups where one group was shown text-based questions (n = 250), while the other group was shown visual-based questions (n = 232). For the purposes of this paper, we only focus on three information types: posts, photos, and top posters as there was no difference in participants' responses after viewing the visualbased versus the text-based question-as measured based on the Independent-Samples Median Test and Mann-Whitney U Test (see "Appendix C").
In summary, the dependent variable (HRComf) was calculated as the mean of the three comfort level questions: top posters (TopPostersComfort), posts (TweetComfort), and photos (MediaComfort). The reliability and validity of the new construct was assessed using Cronbach's Alpha (0.79), rho A (0.80), Composite Reliability (0.87), and Average Variance Extracted (0.70). All values were within their recommended thresholds and confirm the adequacy of the measurement instrument.

Data cleaning
In total, we received 556 survey responses. We cleaned the survey dataset by removing 25 responses by people who completed the survey twice (as the survey was open for several months, some participants may have forgotten that they completed the survey as some responses were two months apart). The "trap" question (attention check) asked, "Please select 'strongly agree' as your answer choice," and was inserted to screen participants who were not carefully reading the questions. We removed 42 survey responses that provided an incorrect answer to the trap question. We further removed 7 survey responses that had a completion time of less than 3 min in order to ensure a high quality of data responses. In total, after data cleaning, our dataset was comprised of 482 responses. The median completion time was 7 min and 44 s, and the mean completion time was 15 min and 29 s.

Data analysis
To test the proposed hypotheses, we used SPSS Version 24, statistical analysis software, to perform a linear regression using Automatic Linear Modeling (LINEAR) (Yang 2013). The model building method was "Best Subsets" using the Adjusted R Square criterion to select the best performing model identified by the highest adjusted R 2 . By comparing all possible models (Oshima and Dell-Ross 2016), the best subsets method avoids a potential bias by not selecting the order of variable entry (Huberty 1989). The resulting regression model tested whether the comfort level (HRComf) can be predicted by any of the following independent variables: Demographics: (1) gender and (2) employment seeking status; Social media use: (3) number of public accounts; Privacy concerns: (4) COL, (5) ERR, (6) previous negative experience, and (7) number of "unsure in privacy settings" accounts.
A P-P plot of residuals for the dependent variable (HRComf) supports the normality assumption of the residuals (see Fig. 1). Finally, we confirmed that there is no multicollinearity among the independent variables (all VIFs, variance inflation factors < 1.15, within the recommended threshold of 3).

Study participants
In terms of demographics, 65.1% of our survey participants self-identified as women (314 participants), 34.2% as men (165 participants), 0.4% as "trans* non-binary, two-spirit, genderqueer, other" (2 participants), and 1 participant elected not to disclose (See Table 1). 92.9% of the participant pool was under 25 years old (448 participants) and 90% identified that they were from Canada, which is to be expected considering that the participant pool was comprised of undergraduate students enrolled at a Canadian university.
In terms of employment, the majority of students engaged in some form of work during their higher education: 58.5% worked part time, 5.6% worked full time, and 2.1% were self-employed (See Table 2). 71.8% of participants were job seekers, which is defined as an individual that is likely to seek employment within the next 6 months.

Social media use
Participants were active social media users with 63.3% (n = 305) using at least one social media platform on a daily basis or more frequently. Participants had a presence on an average of six social media platforms. The top platforms by popularity were Facebook (97%), Instagram (92%), Snapchat (92%), YouTube (82%), Twitter (74%), and LinkedIn (64%) (see Fig. 2). The majority of participants (71.6%) have not experienced an invasion of privacy on social media (see Table 3).

Privacy settings
Social media platforms present a range of privacy settings, and individual users can elect their privacy setting at the platform level. While an individual may have a public setting on a particular social media platform, the affordances of many platforms are such that one can elect to engage in private activities even if one's account is public. For example, an individual can elect to send a private message on Twitter even if their privacy setting is public. Similarly, a person with a private Facebook account can choose to create a public post or have some types of information public, while others are only accessible to friends. Accordingly, we elect to use the terms "primarily public" and "primarily private" to account for the ways people actually use the platforms, rather than creating an arbitrary, and inaccurate, binary.
Of the average of six social media platforms that participants had a presence on, three were primarily public and three were primarily private; therefore, prospective employers would be able to access the data from an average per person of three social media platforms that are publicly available-and this is not even considering various techniques to access information from private online spaces via requesting users' password, paying for targeted ads, tracking cookies from a web browser, and other approaches. Our participants tend to have public setting on the majority of sites, including: Own Blog/Website (81.7%), LinkedIn (71.7%), Tumblr (70.8%), Twitter (60.7%), and Pinterest (59.5%). Participants tend to have private accounts on Facebook (82.7%), Snapchat (78.1%), and Instagram (60.7%). The distribution is relatively even on Reddit (50.0%), Meetup (45.5%), and YouTube (43.2%) (See Table 4).

Privacy uncertainty
While 73.7% (n = 355) of students knew the privacy setting on all their social media platforms, 26.3% of students (n = 127) did not know the privacy setting on at least one of their social media accounts (See Table 5). Of those who did not know the privacy setting on at least one of their platforms, 65.4% (n = 83) did not know their privacy setting on one social media platform, and 34.6% (n = 44) did not know their privacy setting on more than one platform.

Information type comfort
To assess people's comfort level with their social media data being used by prospective employers, we identified three different social media data types: (1) Posters, referring to the most prolific users who posted in a public group/page on social media, had a mean comfort of 4; (2) Posts, referring to users' public text-based posts on social media, had a mean comfort of 4; and (3) Photos, referring to users' public visual-based posts on social media, had a mean comfort of 3. As expected, participants have a lower comfort with photos being used in social media screening in comparison to text-based social media posts (see Table 6). Depending on the data type, between 41.7 and 53.1% of participants are uncomfortable with social media screening.

Hypotheses testing
The resulting model (see Table 7) explains only 4.3% of the total variance of the comfort level with employers' use of social media to screen job applicants. This is important as it suggests that some factors that have been previously identified in the literature (such as gender, job seeking status, the number of social media accounts used, and knowledge of privacy settings) do not generally translate very well to publicly available social media data. Given the results of the regression model, we reject H 1 (gender), H 2 (job seeking status), H 3 (number of public social media accounts), and H 6 (knowledge of privacy settings), and accept H 4 (information privacy concerns, but only partially) and H 5 (previous negative experience). On the one hand, young people's comfort with prospective employers using their social media data for job screening cannot be explained by demographic variable of gender. Women were not found to have higher privacy concerns at a statistically significant level. Aligned with Bergström's (2015) finding that there was no significant difference for privacy concerns amongst men and women in Sweden, this may suggest that women are engaging in pre-emptive privacy protection behaviours (Hoy and Milne 2010), or are managing their privacy for employment-related audiences (Hargittai and Litt 2013) and, as such, do not have higher concerns. Also, people's job seeking status, the number of public social media accounts, nor knowledge of their privacy settings can explain their comfort or discomfort with the studied practice.
On the other hand, young people's comfort with prospective employers using their social media data for job screening is partially explained by their concern for social media information privacy: there is a statistically significant and negative relationship between Collection and young people's comfort with social media screening (people who are more concerned with their data being collected by social media platforms and third parties are less comfortable with cybervetting), but not between comfort and Error. Also, people who had experienced an invasion of privacy were also less comfortable with cybervetting.

Discussion
This research contributes to our understanding of users' everchanging privacy expectation for publicly available social media data. We found that there is a relationship between comfort and one of the privacy concerns (COL) and having a previous negative experience, but many of the other factors previously identified in the privacy research were not applicable-including gender, job seeking status, social media use, and knowledge of privacy setting. This may suggest that there are other, or new, variables that need to be considered. Furthermore, considering that publicly available data comes from various social media platforms, the research sought to develop a cross-platform understanding of people's comfort with cybervetting. There may, however, also be platform-specific privacy concerns; for example, young people may use some social media platforms for purposeful professional reputation management (e.g., LinkedIn), while other platforms could be used for personal reasons and socialization which young people are not comfortable having used for cybervetting-even though the information is publicly available. Although most of the factors that were tested in the regression model were not significant and the overall explanatory power of the model was very low (adjusted R 2 of 0.043), it does not mean that young people are comfortable with the practice of social media screening; in fact, about half of the participants were not comfortable with their publicly available social media data being used for social media screening; for example, 49.6% were uncomfortable with their public posts being used.
One of the results related to job seeking status is especially relevant in the context of stakeholder theory that was used to guide this study. With a commitment to organizational ethics, stakeholder theory contends that organizations have an explicit responsibility towards a spectrum of stakeholders including job applicants. As such, organizations cannot assume that people are comfortable with cybervetting-even if they are on the job market. This conclusion is also supported by the fact that 26.3% of participants do not know the privacy setting of at least one of their social media accounts, which speaks to the need for further social media data literacy at the individual and organizational levels. Organizations need to be cognizant of the fact that prospective employees might not intentionally share the information publicly.
The use of digital technologies in the workplace reconfigures work and employment (Howcroft and Taylor 2014), which introduces both opportunities and risks for employers and employees (Archer-Brown et al. 2018). The introduction of new technologies in the workplace has afforded increased organizational control (Pedersen et al. 2014). The practice of employers seeking to surveil and control their employees is not new as workplace surveillance has sought to improve worker efficiency and deter workplace misconduct (Ajunwa et al. 2017). These organizational practices can be met by worker resistance (Bain and Taylor 2000) and negative reactions by employees (Ball and Margulis 2011;Jeske and Santuzzi 2015). There is a clear incentive for employers to align their Table 7 Result of automatic linear analysis The suffix "transformed" in COL, Gender, and TotalSMaccountsPublic indicates that the Automatic Linear Modeling (ALM) procedure automatically trimmed outliers by setting them to a cut-off value of three standard deviations from the mean for each of these variables. The "A1" value of the PrivacyVictim variable corresponds to the "yes" answer. Unsure variables were not included in the final model, as their inclusion did not improve the Adjusted R 2 square organizations' ethics with young people's expectations: organizations will be able to attract and keep these young employees (Weber 2017). If job applicants are aware of and not comfortable with an organization's social media screening practices then applicants may elect not to apply to the organization, and the organization may, consequently, lose the opportunity to recruit high-quality applicants. Alternatively, employees may lose trust in an organization if they later learn about the social media screening, which may similarly impact an organization's ability to recruit and retain the best candidates.
Further, organizations engaging in social media screening may open themselves up to claims of discriminatory hiring. Hiring is not a value-free and neutral process whereby the "best" applicant is offered the job; hiring discrimination has been well documented based on gender (Petit 2007), sexual orientation (Horvath and Ryan 2003), weight (Agerström and Rooth 2011), ethnic and racial identity (Derous et al. 2009), disability (Gouvier et al. 2003), mental health (Krupa et al. 2009), and so forth. Hiring discrimination is further compounded with people's intersectional identities, such as being a woman with a disability (O'Hara 2004). In addition to the existing forms of hiring discrimination that can be compounded, new forms of discrimination could emerge with social media screening, such as influence detection (whereby a lack of network influence is detrimental) or the introduction of predictive analytics (such as using photo filters to predict mental health). Clark and Roberts (2010) have argued that "online character checks" harm society (p. 514) and conclude, "Rather than expecting users of SNSs [Social Networking Sites] to change their behavior by not posting anything they do not want an employer to view, we argue that it is better for society for employers not to enter an employee's virtual front door" (p. 519). With public social media data, the door is wide open, and individuals seeking employment do not know who has entered, what was gathered, and what assumption was made based on what was found. We contend that if organizations are to recognize job applicants as stakeholders, then they also need to recognize job applicants' concerns with social media job screening. More specifically, social media data ethics needs to be included in organizations' corporate social responsibility agendas and ethical corporate governance. One way for organizations to accomplish this is for transparency to be built into the hiring process and for organizations to clearly state their screening process.
There is a move towards regulating the job hiring process; for example, in 2017, the European Union's advisory body issued new guidelines that recommend barring employers from compiling social media data during the job hiring process unless it is "necessary and relevant" and further requiring employers to disclose if they are going to engage in cybervetting (Article 29 Data Protection Working Party 2017). Despite the lack of, or limited, laws that prescribe acceptable use of this practice, as a proactive step towards self-regulation, employers should clearly declare if they engage in cybervetting and specifically outline what social media platforms will be examined during the hiring process. In a move towards more ethical hiring practices, we recommend that employers allow job applicants to self-declare the social media accounts they would like to include as part of their job application.

Conclusion
In this paper, we embraced stakeholder theory to analyze young people's concerns with social media job screening to recognize job applicants as stakeholders and to inform organizational practices. Our research evidences that about half of the study participants were generally not comfortable with the practice of social media screening. We also found that the variables that have previously been identified in the privacy literature do little to explain this. Overall, the findings speak to the complexity and nuanced nature of individuals' understanding and perception of employers using social media data for job screening. As such, we argue that business ethics in the twenty-first century need to include considerations of job applicants' social media data privacy. We hope the research can guide managerial action in adopting appropriate ethical policies and processes for social media job screening, as outlined in stakeholder theory.
Our research supports the scholarship that suggests that ethics must be considered even if the data is public (Boyd and Crawford 2012). While individuals may indeed be posting publicly on social media, there is no way of fully comprehending how the data is, or can be, used now and in the future. Beyond a simple review of social media posts, social media analytics can be employed to analyze the public data in ways unbeknown to the original author. While the use of predictive analytics in social media-such as using social media posts to detect depression (Shen et al. 2017)-have begun to emerge, organizations and society need to be vigilant to ensure that the power relations do not become so unbalanced and unfair that job applicants are no longer considered stakeholders.
There are a few limitations to this research. The sample size of 482 students at one Canadian university limits the generalizability of findings that can be applied to a broader population. The quantitative data collection of this research does not afford an understanding of why people are comfortable or uncomfortable with the practice of social media screening. We encourage future work to continue this line of research using different user populations and methods, such as interviews or focus groups, to develop a nuanced understanding of the possible motivations and rationales. Furthermore, the survey did not use participants' own data for various reasons: (1) to not add uncontrollable variables that could influence the results, (2) to protect participants' privacy, and (3) to ensure participants considered all of their social media, rather than a sample, as this is what recruiters are able to access. If participants were shown their own data then the results may differ; for example, an individual may see a photo that they would be particularly embarrassed by.
To extend the findings of this research, future work could identify if and how young people are engaging in impression management practices on social media to determine if they purposefully adopt positive self-presentation strategies: do those who are comfortable with social media job screening employ careful self-censorship and impression management strategies to strategically foster a positive first impression on social media for employers? In addition, future work could analyze whether social media use is a mediator of comfort with this practice. Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creat iveco mmons .org/licen ses/by/4.0/.

Appendix A: Survey instrument
See Tables 8, 9, and 10   (2015), and Stewart and Segars (2002) To what extent do you agree with the following statements: (7-point agreement/disagreement Likert scale) Collection (COL) COL1 It usually bothers me when social media sites ask me for personal information COL2 It usually bothers me when social media sites ask me for my current location information COL3 It bothers me to give personal information to so many people on social media COL4 I am concerned that social media sites are collecting too much personal information about me Errors (ERR) ERR1 Social media sites should take more steps to make sure that personal information in their database is accurate ERR2 Social media sites should have better procedures to correct errors in personal information ERR3 Social media sites should devote more time and effort to verifying the accuracy of the personal information in their databases before using it for recommendations Secondary use (SUS) SUS1 Social media sites should not use personal information for any purpose unless it has been authorized by the individuals who provide the information SUS2 When people give personal information to social media sites for some reason, these sites should never use the information for any other purpose SUS3 Social media sites should never share personal information with third-party entities unless authorized by the individual who provided the information Unauthorized access (UAC) UAC1 Computer databases that contain personal information should be protected from unauthorized access-no matter how much it costs UAC2 Social media sites should take more steps to make sure that unauthorized people cannot access personal information on their site UAC3 Databases that contain personal information should be highly secured UAC4 Social media sites should delete a user's account if they illegally access another user's personal information How comfortable would you be if an employer uses this information about you to make a hiring decision? [Likert scale 1-7; 1 = uncomfortable, 7 = comfortable] Photos Imagine that an employer can view photos that you shared on social media publicly

Appendix C
Comparing the medians and distributions of the comfort scale questions between responses of Group A who saw visualization-based questions and Group B who only saw text-based questions.